Broadband Tech > Security > Security > Need help nabbing a Spammer

Need help nabbing a Spammer

d2.zip 2,222 bytes (d2.txt)

This sounds like an exellent idea I wished I had the expertiese to assist.
Would I be wrong in compareing this to the triangulation practices used by the FCC for radio, would it work the same.
For example if a dedicated computerwas established at the NE ans NW corner states and one on the south Gulf coast midpoint of the US that a permenant monitoring could be established

reply to NetWatchMan
Better to go after the sites he is spamming for. What are some of the sites? Open up your firewall briefly and let some of it through to find out which sites it is using.
[text was edited by author 2003-09-20 18:18:57]

reply to NetWatchMan

MessengerSpams.zip 45,970 bytes Messenger Spam Packet Captures Zipped

Okay, several of those have the following reg info:

Registrant:
d squared
PO BOX 927142
San Diego, CA 92129-7142
US

Domain Name: DEFEATMESSENGER.COM

Administrative Contact:
SpamSlammers
Admin
PO BOX 927142
San Diego, CA 92129-7142
US
800-453-3422
msgaway2003@yahoo.com

Technical Contact, Zone Contact:
d squared
Admin
PO BOX 927142
San Diego, CA 92129-7142
US
800-453-3422
msgaway2003@yahoo.com

Domain created on 19-Dec-2002
Domain expires on 19-Dec-2003
Last updated on 08-Sep-2003

Domain servers in listed order:

NS.SPEEDYPACKETS.COM
NS2.SPEEDYPACKETS.COM

Given that he owns several of these domains, he's probably sending these directly rather than through another company.

reply to NetWatchMan
Check it out, someone's already hunting these D Squared guys.

»www.popupspamsucks.com/d-squared···ons.html

reply to NetWatchMan
And a nasty letter from the spammers. »www.popupspamsucks.com/threat.html

reply to NetWatchMan
I notice the letter for this bunch of spam bait:
Procopio, Cory, Hargreaves & Savitch LLP
530 B Street, 21st Floor
San Diego, CA 92101

Telephone:
619-238-1900
619-235-0398 (fax)

North County Office
Procopio, Cory, Hargreaves & Savitch LLP
1917 Palomar Oaks Way, Suite 300
Carlsbad, CA 92008

Telephone:
760-931-9700
760-931-1155 (fax)

E-Mail:
law@procopio.com

reply to NetWatchMan
I think since the original page might be deleted and the link stop working, that that is adequate reason to post the entire revealing page here (not something I would normally do moderator):
=====================================================
PopUpSpamSucks

Messenger Service Spam Hall of Shame. D Squared Solutions LLC

This is the page D Squared Solutions LLC's lawyer demanded be removed in its entirety when they threatened our web host.
Legal Threat - Final Warning

Having seemingly been kicked off their Exodus.Net hosting at 64.70.45.200 it appears that the D Squared spam operation has now moved its spamming headquarters out of country and into China. They now appear to be sending spams from a variety of addresses on the NH-CABLE-COM-CN Network.

New Identified PopUp Spam Addresses sending spams advertising D Squared Solutions LLC sites:
210.5.22.10
210.5.22.11
210.5.22.17
210.5.22.18
210.5.22.19
210.5.22.20
210.5.22.21
210.5.22.22
210.5.22.23

These new addresses already grace 2 pages of our spam database at the time of writing (06-20-2003). Database Entries. We are sure you will recognise many of these ads and some will likely be surprised that they all appear to be the work of the same spam outfit. As these machines appear to be running the Linux OS and it is reasonably safe to assume that these machines are running socks5 proxy service on non default ports and the spam is being relayed from San Diego through these proxies. Over the past couple of weeks we have received some interesting responses requesting in regard to our requests for more info on this outfit. We are currently working on verifying submitted information before publishing.

inetnum: 210.5.22.0 - 210.5.22.31
netname: NH-CABLE-COM-CN
descr: Nanhan da road, Gui Cheng district Nanhaicity ,Guangdongprovince,
descr: china
country: CN
admin-c: BF14-AP
tech-c: HO31-AP
mnt-by: MAINT-CN-GUANGTONG
changed: hostmaster@optisp.com 20020411
status: ASSIGNED NON-PORTABLE
source: APNIC
changed: hm-changed@apnic.net 20020827
person: Ben Feng
address: Room 5806-07, CITIC Plaza,#233, Tianhebei Rd. Guangzhou, GD
country: CN
phone: +8620-38771150-2801
fax-no: +8620-38771150-2801
e-mail: ben@optisp.com
nic-hdl: BF14-AP
mnt-by: MAINT-NEW
changed: hostmaster@apnic.net 20011019
source: APNIC

person: Hostmaster OPTISP
address: Guangtong IDC, 3/F, #58 Jianzhong Rd. Ruanjianyuan, Guangzhou,GD, P.R.China
country: CN
phone: +8620-85559257
fax-no: +8620-85532360
e-mail: hostmaster@optisp.com
nic-hdl: HO31-AP
mnt-by: MAINT-NEW
changed: hostmaster@optisp.com 20020311
source: APNIC

Update

D Squared Solutions LLC Finally Unmasked.

We are sure that by now many of our readers that have been repeatedly spammed by these people (who in OUR OPINION are scumbags) are itching to know who is behind D Squared Solutions LLC. We are now able to identify two of the faces behind the spam operation and throw in some other rather interesting supportive facts. It took many hours of diligent research and piecing together many fragments of evidence to arrive at these these results and be able to provide the required proof before writing.

It is a fact that this companies ads create an ongoing spam nuisance, then claim they are trying to help people fight the spam by selling them a message blocking program to block the spam, their company sends. What if we were to tell you that the very same company also sell spam tools? Hypocritical in our opinion maybe that they spam you 10 times a day claiming they want to help you fight spam by selling you an ad blocker yet on the other hand are selling tools to spammers? It appears that these people (who in OUR OPINION are scumbags) are playing both sides of the fence.

D Squared Solutions LLC is owned by one Anish Dhingra who also incidentally runs www.broadcastmarketer.com which sells popup spam tools. How do we know? Following the links to the buy now page takes you to the billing details which clearly states at the bottom of the page. Interesting links: Jenett Radio three quarters of the way down the page entitled AOL Blocks Messenger Spam. News.Com article quoting Dhingra. Badads.Org article entitled AOL, Spammer dukes it out. CERT article. OnlineJournalism.Com article entitled AOL battles against instant spam. Dmsolutions.net article about spam.

NOTE:
Your credit card statement will report this charge as:
"D Squared Solutions"

[Amendment] The above information has now been removed from the billing details page but it still shows "squaredbilling" in the url »ignite.combustionlabs.com/square···eter.php

A Whois lookup provides further information verifying that the domain belongs to the same outfit.

Registrant:
d squared
PO BOX 927142
San Diego, CA 92129-7142
US

Domain Name: BROADCASTMARKETER.COM

Administrative Contact:
SpamSlammers (Interesting inclusion in their domain details - this *is not* related to us)
Admin
PO BOX 927142
San Diego, CA 92129-7142
US
800-453-3422
msgaway2003@yahoo.com

Technical Contact, Zone Contact:
d squared
Admin
PO BOX 927142
San Diego, CA 92129-7142
US
800-453-3422
msgaway2003@yahoo.com

Domain created on 20-Oct-2002
Domain expires on 20-Oct-2004
Last updated on 13-Feb-2003

Domain servers in listed order:

NS.COMBUSTIONLABS.COM
NS2.COMBUSTIONLABS.COM

We also found another domain belonging to them using the same combustionlabs.com nameservers which is www.oktanedesign.com

What else do we know about Anish Dhingra?

More facts of interest are to be found here which name Anish Dhingra as the head of Broadcast Marketer which incidentally looks like a tool made by a child after downloading the demo version and installing it on a test computer. I would rate it about 2 out of 10 if I had the slightest interest in reviewing scumware of this type.

We are reliably informed that Anish Dhingra lives at the below address which was also further confirmed by their lawyer.

Anish Dhingra
5240 Fiore Terrace
J317 , CA 92122
661-755-3656
anishd@san.rr.com

You can contact Anish Dhingra at the above address.

We are further informed by the same anonymous source that supplied the above these are other contact numbers for Anish Dhingra and Jeff Davis.

Anish Dhingra 858-245-1842

Anish Dhingra & Jeff Davis (Home) 858-794-7060

Jeff Davis 858-220-1248

BroadcastMarketer
Anish Dhingra, president
Phone: 858-455-1617
E-mail: customerservice@broadcastmarketer.com

Items above in italics sourced from BadAds.Org who also invite you to "write these poor misguided folks and reeducate them"

We have also good reason to believe that Jeff Davis is also a partner in D Squared Solutions LLC and this would possibly account for the name D Squared (D to the power of 2) Dhingra and Davis.

Their Broadcast Marketer program contains some interesting strings viewable with a hex editor showing the below

e:\Documents and Settings\jdavis\My Documents\Visual Studio Projects\BroadcastMarketer\Release\BroadcastMarketer.pdb

The above shows that the user account on the computer used to compile the Broadcast Market program was called "jdavis" and was written in Microsoft Visual C++ which further bears out the theory that Jeff Davis is a partner in D Squared Solutions LLC.

New Spam Domain WWW.MSGBLOCKER.COM

This appears to have all the hallmarks of one of their domains, if it isn't theirs then their hosts must be harbouring even more spammers with almost identical
operations.

Domain Name: MSGBLOCKER.COM
Registrar: NAMESDIRECT.COM, INC.
Whois Server: whois.namesdirect.com
Referral URL: »www.namesdirect.com
Name Server: NS1.MEGANAMESERVERS.COM
Name Server: NS2.MEGANAMESERVERS.COM
Name Server: NS3.MEGANAMESERVERS.COM
Status: ACTIVE
Updated Date: 20-apr-2003
Creation Date: 02-apr-2003
Expiration Date: 02-apr-2004

Registrant:
msgBLOCKER
msgBLOCKER
msgBLOCKER, msgBLOCKER msgBLOCKER
US

Registrar: NAMESDIRECT
Domain Name: MSGBLOCKER.COM
Created on: 01-APR-03
Expires on: 02-APR-04
Last Updated on: 20-APR-03

Administrative, Technical Contact:
BLOCKER, msg support@msgblocker.com
msgBLOCKER
msgBLOCKER
msgBLOCKER, msgBLOCKER msgBLOCKER
US
msgBLOCKER

Domain servers in listed order:
NS1.MEGANAMESERVERS.COM
NS2.MEGANAMESERVERS.COM
NS3.MEGANAMESERVERS.COM
=================================================
Those guys were intruding into my NAT router dozens of times a days for several weeks.
[text was edited by author 2003-09-20 20:48:08]

reply to NetWatchMan
Again, the original spam fighting site might be shut down and the link to there rendered unusable, so I'm duplicating its contents here, not something I would otherwise do.
========================================================
July 1, 2003

Via Federal Express

Mr. Michael Paris
Lockdown Corp.
44-P Dover Point Office Park
Dover, New Hampshire 03820

Re: D Squared Solutions, LLC

Dear Mr. Paris:

This letter concerns Lockdown Corp.’s (“Lockdown”) recent online posting of certain defamatory statements and personal and private information related to our client, D Squared Solutions, LLC (“D Squared”), and its president, Anish Dhingra.

As set forth in detail below Lockdown’s actions amount to both common law and statutory liability for invasion of privacy, as well as liability for libel per se. In light of these transgressions, we demand Lockdown immediately remove any and all defamatory statements and postings regarding Mr. Dhingra and D Squared, and all personal and private information concerning Mr. Dhingra and D Squared from Lockdown’s Internet web sites, and refrain from all future such publications and postings. Failure to take these remedial steps will result in serious legal consequences.

In addition, it appears as if some of the information you have posted was obtained by you in connection with a business transaction in which you sold a product to our client. If this is true, your liability would be substantially magnified.

Background.

In the past few days, Mr. Dhingra learned he, and his company, had become the target of a smear campaign instituted, and perpetuated, by Lockdown. Specifically, Mr. Dhingra discovered a litany of derogatory comments lodged by Lockdown against D Squared, and himself, personally, on Lockdown’s www.spam-slammer.com Internet web site. Among Lockdown’s remarks were charges D Squared’s business practices were “unethical” and “underhanded,” and D Squared and Mr. Dhingra were “hypocritical scumbags.” Lockdown also posted significant pieces of personal and private information about Mr. Dhingra, and D Squared, on its web site and promised to publish additional personal information in the near future. Finally, Lockdown invited visitors to its web site to contact Mr. Dhingra, and D Squared, directly to discuss the disdainful allegations levied at them by your company.

Cease and Desist Demand.

We find Lockdown’s actions disturbing, to say the least. The opprobrious characterizations of D Squared and its personnel which appear on Lockdown’s web site are not only untruthful, but serve no legitimate purpose other than to undermine D Squared’s software development business. Indeed, these statements constitute libel per se, allowing Mr. Dhingra and D Squared to bring claims against your company without a showing of special damages. Additionally, the public disclosure of sensitive personal and private information of Mr. Dhingra and D Squared clearly treads upon their privacy rights. Lockdown’s conduct, therefore, offers ample support for our contention Lockdown is in violation of California’s common law and statutory invasion of privacy prohibitions, and liable for libel per se, as well.

Mr. Dhingra and D Squared take their legal rights very seriously, and we hope you do, too. While we wish to achieve an informal resolution to this matter, we will bring all legal resources to bear which are necessary and proper to advance our position in this dispute, and prevent further publication of both defamatory statements, and personal information, concerning Mr. Dhingra and D Squared.

To avoid such eventuality, we hereby demand the following: (i) Lockdown must remove any and all defamatory, disparaging, and/or reproachful statements concerning Mr. Dhingra and/or D Squared from its www.spam-slammer.com web site, and any additional web sites where Lockdown, or any of its affiliates, may also post such statements; (ii) Lockdown must remove any and all personal and private information concerning Mr. Dhingra and/or D Squared from its www.spam-slammer.com web site, and any additional web site where Lockdown, or any of its affiliates, may also post such information; and (iii) Lockdown, and its affiliates, must refrain from engaging, or assisting others in engaging, in any of the foregoing actions, at anytime in the future. Lockdown has five (5) business days from the date of this letter to comply.

Failure to completely and timely satisfy these demands will cause Mr. Dhingra and D Squared to initiate an action for libel per se, common law invasion of privacy, and statutory invasion of privacy against you in United States federal district court.

Thank you, in advance, for your cooperation. Please feel free to contact me should you wish to discuss the contents of this letter, or any other issue, in greater detail.

Sincerely,

JACOB C. REINBOLT, of
Procopio, Cory, Hargreaves
& Savitch LLP
JCR:ctm

reply to NetWatchMan
Personally judging by his alleged actions, I don't think Mr. Anish Dhingra has sufficient personal integrity to be running a software business, based on what appears to be his messenger spamming with falsified origin IP addresses.

Taking actions that promote anti-Chinese racial hatred, and asking for money to stop bothering people, and falsifying a statement of origin to blame someone else for one's actions, is just unacceptable behaviour, in our profession at least.

Mr. Anish Dhingra might have better success practicing law if it turns out he has really being doing all that is alleged.

reply to NetWatchMan
Maybe Square D deserves its own thread. I wonder if that can be arranged?

I just called and left a message on their machine offering them to enroll in my Call Protection System. For 24.95, I will ensure that they don't receive any more telephone calls from me.

reply to NetWatchMan
»www.terraserver.microsoft.com./a···CA+92122

reply to NetWatchMan
While the intent of pursuing this spammer is noble, I think we should try to stick to the original intent of »/useremail/u/342913 's when he posted this thread.

I agree that going after the spamvertised site is a good idea, however I can also see merit in Mr Baldwin deeloping software tools that could be used to track down someone who is forging IP's.

I wish I had the technical ability to assist in this endeavor. I will read the links in the OP to try to figure it out...
--
Don't Feed the Trolls----Click 'Hey mods' instead!:) »Auto Chat

reply to NetWatchMan

Agreed. Folks, please stick to the main subject.

reply to TA63
Except that we've already found the ISP through these other means, right? Its Roadrunner.

I perceived the original intent as assistance with developing/testing the software tool that can be used to "triangulate" the source of the forged ip messenger spam.

If this tool can be properly developed, it can reduce the ability of the spammer to hide.

Good for "us" bad for "them".
--
Don't Feed the Trolls----Click 'Hey mods' instead!:) »Auto Chat

reply to NetWatchMan

said by NetWatchMan:

---

So I ask anyone here that wants to participate and has the ability to take full packet captures of inbound Messenger spam to capture packets from this IP and email them to me.

---

reply to TA63

said by TA63:

---

I perceived the original intent as assistance with developing/testing the software tool that can be used to "triangulate" the source of the forged ip messenger spam.

If this tool can be properly developed, it can reduce the ability of the spammer to hide.

---